Sunnyvale, Calif.-based Fortinet said the worm -- which also goes by names such as Nyxem.e, MyWife.d, Grew.a, and Blackmal.e -- adds 18 entries to the Windows Registry to slip the ActiveX control by the operating system's defenses. "By creating the following entries, the control is considered 'safe' and digitally signed," said the Fortinet advisory.
The ActiveX control, added Fortinet, is used by the worm to automatically run its code each time the PC is turned on and Windows boots.
"The threat of worms like this will make them much more dangerous in the future," said Bojan Zdrnja, an analyst for the Internet Storm Center, on the group's site. "If a worm puts a fake certificate on an infected machine, MITM [Man-In-The-Middle] attacks become extremely easy. Of course, we all know that once the machine is infected you can't trust it, but this looks like another (big) problem for the average user."
As of late Monday, the Kama Sutra worm had infected more than 630,000 systems, said the Internet Storm Center.
The worm is considered particularly dangerous because it contains code that triggers an overwrite of all .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd, and .dmp files on the third of each month.